It is human nature to gravitate toward passwords that are easy to remember. But security experts and software engineers say that is part of the problem, leading to breaches like Wednesday’s cyberattack on eBay.

Here are some helpful tips from the pros to achieve what they like to call “good password hygiene.”

The Password Is Dead, Long Live the Passphrase
Kevin Mitnick, a one-time hacker who now consults for companies on security, says single-word passwords are easy to hack. “You need a passphrase,” he says, like “SantaMonicaBeach.” Some websites limit passwords to 16 characters, so making up a passphrase can be trickier than it sounds.

Alex Munroe, a programmer for Yelp, suggests that people avoid common phrases, even when numbers and symbols are substituted for some letters, and any song lyrics. He relies on random password generators to create passphrases. In other cases, he says, “I take a line from a Korean anime program I saw twice when I was a kid, contort it and that would be a decent start.”
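The random passphrase generators Munroe describes work by picking words uniformly from a list with a cryptographic random source, so the strength of the result depends only on the list size and the word count, not on the words being memorable. The following Python script is an added example, not code from the article or from any of the people quoted in it; the 16-word list is constructed for illustration (a real generator would use a list of thousands of words), and the retry loop shows one way to deal with the 16-character cap some sites impose.

```python
import math
import secrets

# Constructed sample word list for illustration only. A real generator loads a
# large diceware-style list (7,776 words gives about 12.9 bits per word); with
# only 16 words here, each word adds just 4 bits.
WORDS = [
    "correct", "horse", "battery", "staple", "santa", "monica", "beach",
    "lantern", "copper", "violet", "meadow", "tundra", "quartz", "harbor",
    "falcon", "ember",
]


def passphrase_entropy_bits(word_count, list_size):
    """Entropy of a passphrase built from word_count uniformly random words."""
    return word_count * math.log2(list_size)


def generate_passphrase(word_count=5, words=WORDS, separator="-"):
    """Pick words with secrets.choice (a CSPRNG); random.choice is not suitable."""
    if word_count < 1:
        raise ValueError("word_count must be at least 1")
    return separator.join(secrets.choice(words) for _ in range(word_count))


def generate_within_limit(max_len, word_count, words=WORDS, separator="", attempts=200):
    """Retry until the phrase fits a site's length cap (for example 16 characters).

    Rejecting long phrases biases the result toward short words, so the real
    entropy is a little below passphrase_entropy_bits(); when the cap is tight,
    prefer a site-specific random password from a manager instead.
    Returns None if no phrase fit within the allowed attempts.
    """
    for _ in range(attempts):
        phrase = generate_passphrase(word_count, words, separator)
        if len(phrase) <= max_len:
            return phrase
    return None


if __name__ == "__main__":
    phrase = generate_passphrase()
    print(phrase, f"~{passphrase_entropy_bits(5, len(WORDS)):.0f} bits from this toy list")
    print("fits a 16-character cap:", generate_within_limit(16, 2))
```

With a 7,776-word list, six words give about 77 bits, which is why a plain-English phrase chosen at random is stronger than a clever substitution pattern applied to a common saying.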

Hold the Salt
“Salting” a password, the practice of using variations of a standard password for different sites (WSJfb and WSJtwtr, for example), is not safe. “People who ‘salt’ maintain little password hygiene,” says Stuart Geiger, a doctoral student at the University of California, Berkeley’s School of Information.

Leave the Family and Dogs Behind
Some hackers can figure out your passwords through “social engineering,” the process of learning about your life from your social media posts. Morgan Slain, the chief executive of SplashData, a password manager company that publishes an annual list of the most used (and least safe) passwords, suggests that people avoid using the names of children and pets.

Your Clever Keyboard Pattern Isn’t That Clever
John Van Der Loo, a software engineer in Sydney who created the password-generating website “Correct Horse Battery Staple,” urges people to avoid passwords that mimic patterns on keyboards (qwerty or 2wdcft6) and to use a mix of numbers, letters (in upper and lower case), punctuation marks and symbols. Stay away from terms that would be obvious to a techy. “‘Entropy’ as a password would be terrible,” he says.

SplashData recently published its Worst Passwords list, and, not surprisingly, 123456 topped it, followed by other obvious numerical combinations. No. 2: the word “password” itself. Avoid anything on this list.
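The advice in the last two sections (no keyboard walks, no list-toppers, no words obvious to a techy, a mix of character classes) can be turned into an automated check. The Python below is an added example written for this page, not SplashData's or Van Der Loo's code; its word lists are constructed from the examples quoted in the article (a real check would load the full published list), and the keyboard-walk detector is a simple adjacency heuristic over a US QWERTY layout that catches both straight runs like qwerty and zig-zags like 2wdcft6.

```python
import math
import string

# Constructed from the examples quoted in the article; a real check loads the
# full SplashData list or a breached-password corpus (millions of entries).
WORST_PASSWORDS = {"123456", "password", "qwerty"}
TECHY_TERMS = {"entropy"}

KEYBOARD_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]
KEY_POS = {ch: (r, i) for r, row in enumerate(KEYBOARD_ROWS) for i, ch in enumerate(row)}


def keys_adjacent(a, b):
    """True if a and b are neighbouring keys on a QWERTY layout.

    Rows are staggered, so a key in the row above or below counts as adjacent
    at index-1, index or index+1. That deliberately generous rule catches
    zig-zag walks such as 2wdcft6 as well as straight runs such as qwerty.
    """
    if a not in KEY_POS or b not in KEY_POS:
        return False
    (ra, ia), (rb, ib) = KEY_POS[a], KEY_POS[b]
    return (ra, ia) != (rb, ib) and abs(ra - rb) <= 1 and abs(ia - ib) <= 1


def keyboard_walk_fraction(password):
    """Share of consecutive character pairs that are adjacent keys (0.0 to 1.0)."""
    p = password.lower()
    if len(p) < 2:
        return 0.0
    hits = sum(1 for a, b in zip(p, p[1:]) if keys_adjacent(a, b))
    return hits / (len(p) - 1)


def _class_flags(password):
    """(lower, upper, digit, punctuation) presence flags."""
    return (
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    )


def estimated_bits(password):
    """Naive brute-force estimate: length x log2(pool of the classes used).

    This overstates strength for dictionary words and patterns, which is why
    check_password() also runs the list and keyboard-walk checks.
    """
    sizes = (26, 26, 10, len(string.punctuation))
    pool = sum(size for used, size in zip(_class_flags(password), sizes) if used)
    return len(password) * math.log2(pool) if pool else 0.0


def check_password(password):
    """Return the issues found plus the naive bit estimate."""
    issues = []
    low = password.lower()
    if low in WORST_PASSWORDS:
        issues.append("on worst-password list")
    if low in TECHY_TERMS:
        issues.append("obvious to a techy")
    if len(password) >= 4 and keyboard_walk_fraction(password) >= 0.75:
        issues.append("keyboard pattern")
    if sum(_class_flags(password)) < 3:
        issues.append("fewer than three character classes")
    return {"issues": issues, "estimated_bits": round(estimated_bits(password), 1)}


if __name__ == "__main__":
    for candidate in ["123456", "2wdcft6", "Entropy", "SantaMonicaBeach", "Korean-anime-2x!"]:
        print(f"{candidate:18} {check_password(candidate)}")
```

Note that SantaMonicaBeach scores about 91 bits on the naive estimate yet is still flagged for using only two character classes; the estimate treats every character as random, which is exactly the assumption a dictionary attack exploits.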

Turn on Two-Step Verification
Whenever sites offer “two-step verification,” use it. Many major websites, including Twitter, Facebook and Google, offer this method: after you log in with your password, the site sends a one-time code, generally via text message, that you must enter to gain access. The upside: a hacker who steals your password can’t gain entry without also having access to your smartphone. The downside: it’s yet another step to log in. Here’s how you can activate two-step verification on 11 of the most popular online services.
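What makes a texted code safe is not the code itself, which is only six digits, but how the site handles it: it expires quickly, it works once, and guesses are capped. The Python class below is an added example of that server-side logic, written for this page and not taken from Twitter, Facebook, Google or any other service; the five-minute lifetime and five-attempt cap are assumed values, and the clock is injectable so the expiry behaviour can be exercised without waiting.

```python
import hmac
import secrets
import time

CODE_TTL_SECONDS = 300   # assumed lifetime; a texted code should not live long
MAX_ATTEMPTS = 5         # a 6-digit code has only 10**6 values, so cap guessing


class SecondFactorCodes:
    """Server side of the second step: issue a code, then verify it once.

    The code is low-entropy by design (people have to type it), so the
    controls that make it safe are the short lifetime, the single use and
    the attempt cap, not secrecy of the stored value.
    """

    def __init__(self, now=time.time):
        self._now = now        # injectable clock, useful in tests
        self._pending = {}     # user -> [code, expires_at, attempts_left]

    def issue(self, user):
        """Generate a fresh code for the user, replacing any earlier one."""
        code = f"{secrets.randbelow(10 ** 6):06d}"   # CSPRNG, zero-padded
        self._pending[user] = [code, self._now() + CODE_TTL_SECONDS, MAX_ATTEMPTS]
        return code   # hand this to the SMS gateway; never write it to a log

    def verify(self, user, submitted):
        """True only for the current, unexpired, unused code of this user."""
        entry = self._pending.get(user)
        if entry is None:
            return False                     # nothing issued, or already used
        code, expires_at, attempts_left = entry
        if self._now() > expires_at or attempts_left <= 0:
            del self._pending[user]          # expired or exhausted: force re-issue
            return False
        if hmac.compare_digest(code.encode(), submitted.encode()):
            del self._pending[user]          # single use
            return True
        entry[2] -= 1                        # wrong guess consumes an attempt
        return False


if __name__ == "__main__":
    codes = SecondFactorCodes()
    sent = codes.issue("alice")              # in production this goes out by text
    print("wrong code accepted:", codes.verify("alice", "000000" if sent != "000000" else "000001"))
    print("right code accepted:", codes.verify("alice", sent))
    print("replay accepted:    ", codes.verify("alice", sent))
```

The password check happens before this step, so an attacker holding only the password is stopped here, and an attacker who intercepts one code gets a single, short-lived use of it.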

Use a Password Manager
Most online security experts say the best line of defense is a password manager. The software encrypts and stores passwords, and can generate random ones, all of which are unlocked with one master password and used on different sites. Mitnick prefers KeePass because, he says, the company’s engineers frequently update the software to stay a step ahead of hackers. But he cautions that anyone using a password manager must install and keep up to date anti-virus software, so that no malware takes root that would let hackers remotely access your computer and log your keystrokes.
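A password manager never stores the master password; it stretches it into an encryption key with a deliberately slow function and a random salt. That cryptographic salt is a different thing from the “salting” described earlier in this article: it is a public random value attached to the vault, not a variation the user invents. The Python below is an added example of the key-derivation step, written for this page and not KeePass's own code; it uses PBKDF2 from the standard library with an iteration count taken from OWASP's current guidance, and the vault entries themselves would then be encrypted with the derived key using an authenticated cipher, which is outside the standard library and not shown.

```python
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 600_000   # OWASP's current guidance for PBKDF2-HMAC-SHA256
KEY_LEN = 32                  # 256-bit vault key


def derive_vault_key(master_password, salt, iterations=PBKDF2_ITERATIONS):
    """Stretch the master password into a key.

    Slow on purpose: each guess costs an attacker the same 600,000 iterations
    it costs the legitimate user, which turns a weak master password into a
    much more expensive target.
    """
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, iterations, dklen=KEY_LEN)


def new_vault_header(master_password):
    """Create the unencrypted header stored alongside the vault.

    The salt is random and public. It is not there to hide anything; it makes
    the derived key unique to this vault, so precomputed tables and cross-user
    attacks do not work. Neither the password nor the key is stored; the
    verifier lets unlock_vault() detect a wrong master password.
    """
    salt = os.urandom(16)
    key = derive_vault_key(master_password, salt)
    verifier = hmac.new(key, b"vault-key-check", hashlib.sha256).digest()
    return {"salt": salt, "iterations": PBKDF2_ITERATIONS, "verifier": verifier}


def unlock_vault(header, master_password):
    """Return the vault key, or None if the master password is wrong."""
    key = derive_vault_key(master_password, header["salt"], header["iterations"])
    check = hmac.new(key, b"vault-key-check", hashlib.sha256).digest()
    if not hmac.compare_digest(check, header["verifier"]):
        return None
    return key   # feed this to an AEAD such as AES-GCM to encrypt the entries


if __name__ == "__main__":
    header = new_vault_header("correct horse battery staple")   # constructed sample
    print("right password:", unlock_vault(header, "correct horse battery staple") is not None)
    print("wrong password:", unlock_vault(header, "correct horse battery stapel") is not None)
```

None of this helps if the machine itself is compromised, which is Mitnick's point: a keylogger captures the master password as it is typed, before any key derivation runs.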